Sep 08 2023

CALDERA: FREE OPERATIONAL TECHNOLOGY OT ATTACK EMULATION TOOL TO SECURE ICS, SCADA AND PLC DEVICES

Category: OT/ICS,Scada Security,Security Toolsdisc7 @ 7:23 am

MITRE and the US Cybersecurity and Infrastructure Security Agency (CISA) have collaborated to develop a new open source tool that simulates cyber-attacks on operational technology (OT). The product was published recently.

The MITRE Calder for OT is now accessible to the general public as an addition to the open-source Caldera platform that may be found on GitHub. This would make it possible for cybersecurity specialists who deal with industrial control systems (ICS) to carry out automated adversary simulation exercises. These exercises will have the goal of testing and improving their cyber defenses on a constant basis. In addition to this, this includes security inspections as well as exercises involving red, blue, and purple teams.

This Caldera extension for OT was created via a collaborative effort between CISA and the Homeland Security Systems Engineering and Development Institute (HSSEDI). HSSEDI is a research and development institution that is financed by the federal government and is maintained and run by MITRE on behalf of the Department of Homeland Security (DHS).

The program contributes to the goal of the federal government to strengthen the security of vital infrastructure that is dependent on OT. Some examples of such infrastructure are water and electricity. This objective was elaborated upon in the United States’ National Cybersecurity Strategy, which was published in March 2023, and in the Executive Order on Improving the Nation’s Cybersecurity, which was issued by President Biden in May 2021.
Work done by CISA and HSSEDI to automate opponent emulation simulations in CISA’s Control Environment Laboratory Resource (CELR) served as the foundation for the OT extension, which was developed upon that work. This made it possible to identify hostile strategies that may be implemented in Caldera.

The defensive mechanisms and testing capabilities of critical infrastructure systems are slated to get a boost from the use of these plugins.

These plugins, which are stored in the “caldera-ot” repository, are essential instruments for the protection of operational technology (OT) settings.

They are made available as Git submodules, which enables researchers and experts in the security industry to quickly and readily access them.

The purpose of these plugins is to facilitate enemy simulation inside the OT environment. This was the driving force behind their development.

Because of this, companies are given the ability to strengthen their security defenses and better prepare for possible attacks.

In addition to this, it is compatible with classic use cases for Caldera, such as rigorous testing of security mechanisms and operator training.

The move that has been taken by MITRE marks a major step forward in the continuing endeavor to secure critical infrastructure systems and to strengthen security within the OT sector.

A presentation titled “Emulating Adversary Actions in the Operational Environment with Caldera (TM) for OT” has also been made available by MITRE for individuals who are looking for further information of a more in-depth kind.

Users may apply the following command in order to install the whole collection of Caldera for OT plugins:

git clone https://github.com/mitre/caldera-ot.git –recursive


Individuals also have the option of configuring certain plugins on their own, which allows them to personalize their approach to OT security to meet their unique requirements.

At the moment, the following three important plugins are available:

  1. BACnet Catering to Building Automation and Control Networks (BACnet) protocol.
  2. DNP Addressing the Distributed Network Protocol 3 (DNP3).
  3. Modbus Supporting the Modbus protocol.

Open-Source OT Protocol Libraries That Are Unified And Exposed To Users. Caldera for OT plugins is a service provided by MITRE that aims to standardize and expose open-source OT protocol libraries, making them available for use as protocol-specific plugins. Each plugin comes with its own extensive documentation.

Aligning Security Operations with the MITRE ATT&CK Framework: Level up your security operations center for better security

Cyber Defence Strategy using NIST and MITRE ATT&CK Frameworks

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Caldera, MITRE ATT&CK, MITRE Caldera


Jul 11 2023

How to Apply MITRE ATT&CK to Your Organization

Category: Attack Matrixdisc7 @ 10:50 am
Discover all the ways MITRE ATT&CK can help you defend your organization. Build your security strategy and policies by making the most of this important framework

What is the MITRE ATT&CK Framework?

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a widely adopted framework and knowledge base that outlines and categorizes the tactics, techniques, and procedures (TTPs) used in cyberattacks. Created by the nonprofit organization MITRE, this framework provides security professionals with insights and context that can help them comprehend, identify, and mitigate cyber threats effectively.

The techniques and tactics in the framework are organized in a dynamic matrix. This makes navigation easy and also provides a holistic view of the entire spectrum of adversary behaviors. As a result, the framework is more actionable and usable than if it were a static list.

The MITRE ATT&CK Framework can be found here: https://attack.mitre.org/

Look Out: MITRE ATT&CK Framework Biases

According to Etay Maor, Senior Director of Security Strategy at Cato Networks, “The knowledge provided in the MITRE ATT&CK framework is derived from real-world evidence of attackers’ behaviors. This makes it susceptible to certain biases that security professionals should be aware of. It’s important to understand these limitations.”

  • Novelty Bias – Techniques or actors that are new or interesting are reported, while techniques that are being used over and over are not.
  • Visibility Bias – Intel report publishers have visibility biases that are based on how they gather data, resulting in visibility for some techniques and not others. Additionally, techniques are also viewed differently during incidents and afterward.
  • Producer Bias – Reports published by some organizations may not reflect the broader industry or world as a whole.
  • Victim Bias – Some victim organizations are more likely to report, or to be reported on, than others.
  • Availability Bias – Report authors often include techniques that quickly come to mind in their reports.

MITRE ATT&CK Defender Use Cases

The MITRE ATT&CK framework helps security professionals research and analyze various attacks and procedures. This can help with threat intelligence, detection and analytics, simulations, and assessment and engineering. The MITRE ATT&CK Navigator is a tool that can help explore and visualize the matrix, enhancing the analysis for defensive coverage, security planning, technique frequency, and more.

Etay Maor adds, “The framework can go as deep as you want it to be or it can be as high level as you want it to be. It can be used as a tool to show the mapping and if we’re good or bad at certain areas, but it could go as deep as understanding the very specific procedure and even the line of code that was used in a specific attack.”

Here are a few examples of how the framework and the Navigator can be used:

Threat Actor Analysis

Security professionals can leverage MITRE ATT&CK to investigate specific threat actors. For example, they can drill down into the matrix and learn which techniques are used by different actors, how they are executed, which tools they use, etc. This information helps investigate certain attacks. It also expands the researchers’ knowledge and way of thinking by introducing them to additional modes of operation attackers take.

At a higher level, the framework can be used to answer C-level questions about breaches or threat actors. For example, if asked- “We think we might be a target for Iranian nation state threat actors.” The framework enables drilling down into Iranian threat actors like APT33, showing which techniques they use, attack IDs, and more.

Multiple Threat Actor Analysis

Apart from researching specific actors, the MITRE ATT&CK framework also allows analyzing multiple threat actors. For example, if a concern is raised that “Due to recent political and military events in Iran we believe there will be a retaliation in the form of a cyber attack. What are the common attack tactics of Iranian threat actors?”, the framework can be used to identify common tactics used by a number of nation-state actors.

Here’s what a visualized multiple threat actor analysis could look like, with red and yellow representing techniques used by different actors and green representing an overlap.

Gap Analysis

The MITRE ATT&CK framework also helps analyze existing gaps in defenses. This enables defenders to identify, visualize and sort which ones the organization does not have coverage for.

Here’s what it could look like, with colors used for prioritization.

Atomic Testing

Finally, the Atomic Red Team is an open source library of tests mapped to the MITRE ATT&CK framework. These tests can be used for testing your infrastructure and systems based on the framework, to help identify and mitigate coverage gaps.

The MITRE CTID (Center for Threat-Informed Defense)

The MITRE CTID (Center for Threat-Informed Defense) is an R&D center, funded by private entities, that collaborates with both private sector organizations and nonprofits. Their objective is to revolutionize the approach to adversaries through resource pooling and emphasizing proactive incident response rather than reactive measures. This mission is driven by the belief, inspired by John Lambert, that defenders must shift from thinking in lists to thinking in graphs if they want to overcome attackers’ advantages.

Etay Maor comments, “This is very important. We need to facilitate collaboration between the Defenders across different levels. We’re very passionate about this.”

A significant initiative within this context is the “Attack Flow” project. Attack Flow tackles the challenge faced by defenders, who often focus on individual, atomic attacker behaviors. Instead, Attack Flow uses a new language and tools to describe the flow of ATT&CK techniques. These techniques are then combined into patterns of behavior. This approach enables defenders and leaders to gain a deeper understanding of how adversaries operate, so they can refine their strategies accordingly.

You can see here what an Attack Flow looks like.

With these attack flows, defenders can answer questions like:

  • What have adversaries been doing?
  • How are adversaries changing?

The answers can help them capture, share and analyze patterns of attack.

Then, they will be able to answer the most important questions:

  • What is the next most likely thing they will do?
  • What have we missed?

CTID invites the community to participate in its activities and contribute to its knowledge base. You can contact them on LinkedIn.

To learn more about the MITRE ATT&CK framework, watch the entire masterclass here.

Aligning Security Operations with the MITRE ATT&CK Framework: Level up your security operations center for better security

CISSP training course

InfoSec tools | InfoSec services | InfoSec books

Tags: MITRE ATT&CK


Feb 17 2023

The Top 10 Most Prevalent MITRE ATT&CK Techniques used by Adversaries

Category: Attack MatrixDISC @ 1:03 pm

The Top 10 Most Prevalent MITRE ATT&CK Techniques Used by Adversaries – Report via Picus Security

ATT&CK Matrix for Enterprise

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: MITRE ATT&CK


Nov 10 2022

CrowdStrike Achieves 99% Detection Coverage in First-Ever MITRE ATT&CK Evaluations for Security Service Providers

Category: Attack Matrix,Information SecurityDISC @ 3:20 pm
  • CrowdStrike achieved 99% detection coverage by conclusively reporting 75 of the 76 adversary techniques during the MITRE ATT&CK evaluation.
  • Leveraging the power of the CrowdStrike Falcon® platform with integrated threat intelligence and patented tooling, the CrowdStrike Falcon® Complete and CrowdStrike® Falcon OverWatch™ managed threat hunting teams identified the adversary and associated tradecraft within minutes.
  • Closed-book evaluations such as this provide the most realistic reflection of how a security vendor would perform in a customer environment. CrowdStrike’s combination of market-leading technology and elite human expertise led the evaluation, which is the gold standard in managed detection and response testing.  
  • MITRE does not rank or rate participants; the following is CrowdStrike’s analysis of the results provided by MITRE Engenuity.

Tags: CrowdStrike, MDR, MITRE ATT&CK, MITRE ATT&CK Evaluations, Security Service Providers


Nov 08 2021

MITRE ATT&CK Update Covers Insider Threat Attack Techniques

Category: Attack MatrixDISC @ 10:39 am

Unmasking/Uncovering the Real Insider Threat

According to the Verizon 2021 Data Breach Investigations Report, insiders are responsible for around 22% of security incidents. That is clearly a significant number and insider threats are quickly becoming one of the most common cybersecurity threats organizations face today. The challenge that continues to remain high with insider threats is that it is difficult to differentiate between normal and abnormal user behavior for any user since they already have access to the environment compared to external threats. Therefore, it makes a very important case to correlate content, threat and behavior to make an accurate prediction for an insider threat. 

The significance of insider threats can be seen in the last update by MITRE where the version of ATT&CK for Enterprise contains 14 Tactics, 185 Techniques, and 367 Sub-techniques, among which are those used in insider threat attacks. In this analysis, we’ll look at a selection of the techniques published in the update and examine how they are used, the motivations and the types of attacks they are used for. 

What is Considered an Insider Threat?

An insider threat is a security threat that originates internally from within an organization. It’s usually someone who uses their authorized access—intentionally or unintentionally—to compromise an organization’s network, data or devices. Due to the authorized access, the attacker doesn’t need to raise a request or hack some credentials to gain access. There are three most common categories of an inside attacker. 

  • Malicious Insider â€“ As the name suggests, the malicious insider is an employee or contractor who conducts nefarious activities that may or may not be financially motivated to gain or steal information.
  • Compromised Insider â€“ This is a scenario where user credentials are compromised with the attacker using the compromised account to gain or steal information. In most cases the main target of these attacks are employees who are easily targeted via phishing. 
  • Negligent Insider â€“ Negligent insiders are people who make errors and disregard policies, which place their organizations at risk. There is a huge uptick in this type of attacks as we see more and more configuration errors, which results in exposing internal data of the organization to the public. 

Let’s take a look at some of the recent insider attacks to understand the magnitude of the impact.  – Updated MITRE ATT&CK TTPs Used in Insider Threat Attacks

ATT&CK™ Framework and open source tools

Tags: MITRE ATT&CK


Oct 29 2021

CVE + MITRE ATT&CK® to Understand Vulnerability Impact

Category: Attack Matrix,Information SecurityDISC @ 8:56 am

Historically, vulnerability management and threat management have been separate disciplines, but in a risk-focused world, they need to be brought together. Defenders struggle to integrate vulnerability and threat information and lack a consistent view of how adversaries use vulnerabilities to achieve their goals. Without this context, it is difficult to appropriately prioritize vulnerabilities.

To bridge vulnerability management and threat management, the Center for Threat-Informed Defense, with support from participants including AttackIQ and JP Morgan Chase, developed a methodology to use the adversary behaviors described in MITRE ATT&CK® to characterize the impact of vulnerabilities from CVE®. Vulnerability reporters and researchers can use the methodology to describe the impact of vulnerabilities more clearly and consistently. When used in a vulnerability report, ATT&CK’s tactics and techniques enable defenders to quickly understand how a vulnerability can impact them, helping defenders integrate vulnerability information into their risk models and identify appropriate compensating security controls.

This methodology aims to establish a critical connection between vulnerability management, threat modeling, and compensating controls. CVEs linked to ATT&CK techniques can empower defenders to better assess the true risk posed by specific vulnerabilities in their environment. We have applied the methodology and mapped several hundred CVEs to ATT&CK to validate the model and demonstrated its value. To fully realize our goal, we need community support to apply the methodology at scale.

Mapping CVE-2018–17900

Mitre Att&ck Framework: Everything you need to know by Peter Buttler

Practical Threat Intelligence and Data-Driven Threat Hunting: A hands-on guide to threat hunting with the ATT&CK™ Framework and open source tools

Tags: MITRE ATT&CK


Oct 25 2021

Released: MITRE ATT&CK v10

Category: Attack MatrixDISC @ 7:14 am

MITRE Corporation has released the tenth version of ATT&CK, its globally accessible (and free!) knowledge base of cyber adversary tactics and techniques based on real-world observations.

Version ten comes with new Data Source objects, new and changed techniques in its various matrices, key changes to facilitate hunting in ICS environments, and more.

MITRE ATT&CK v10

MITRE ATT&CK v10

The most prominent change in this newest version of the framework is new objects with aggregated information about data sources.

“The data source object features the name of the data source as well as key details and metadata, including an ID, a definition, where it can be collected (collection layer), what platform(s) it can be found on, and the data components highlighting relevant values/properties that comprise the data source,” MITRE ATT&CK Content Lead Amy L. Robertson and cybersecurity engineers Alexia Crumpton and Chris Ante explained.

“These data sources are available for all platforms of Enterprise ATT&CK, including our newest additions that cover OSINT-related data sources mapped to PRE platform techniques.”

Changes in ATT&CK for ICS and the Mobile matrices are focused on providing all the features currently provided in the Enterprise matrices.

“v10 also includes cross-domain mappings of Enterprise techniques to software that were previously only represented in the ICS Matrix, including Stuxnet, Industroyer, and several others. The fact that adversaries don’t respect theoretical boundaries is something we’ve consistently emphasized, and we think it’s crucial to feature Enterprise-centric mappings for more comprehensive coverage of all the behaviors exhibited by the software,” they added.

The complete release notes for MITRE ATT&CK v10 can be found here.

Tags: cyber attack, MITRE ATT&CK, MITRE ATT&CK v10


Mar 11 2021

Get More Value from NIST CSF, MITRE ATT&CK and COSO ERM with RiskLens

Category: Attack Matrix,NIST CSFDISC @ 11:13 pm

MITRE ATT&CK matrices

MITRE ATT&CK is a tool to help cybersecurity teams get inside the minds of threat actors to anticipate their lines of attack and most effectively position defenses. MITRE ATT&CK works synergistically with FAIR to refine a risk scenario (“threat actor uses a method to attack an asset resulting in a loss”).

Enter an asset into the MITRE ATT&CK knowledge base and it returns a list of likely threat actors and their methods to inform a risk scenario statement. It also helps to fill in color and detail for the FAIR factors, such as the relative strength of threat actors likely to go after an asset or the resistance strength of the controls around the asset, as well as the frequency of attack one might expect from these actors, based on internal or industry data (housed in the Data Helpers and Loss Tables on the RiskLens platform). All these are ultimately fed into the Monte Carlo simulation engine to show probable loss exposure for the scenario. The data we collect on our assets and threat actors can be stored in libraries on the platform for repeat use.

MITRE ATT&CK also suggests controls for mitigation efforts specific to attacks. As with the controls suggested by NIST CSF, we can assess those in the platform for cost-effectiveness in risk reduction in financial terms.

Finally, RiskLens + MITRE ATT&CK can help refine tactics for the first line of defense. With a clear sense of top risk scenarios generated by RiskLens, and a clear sense of attack vectors for those scenarios, the SOC can better prioritize among the many incoming alerts based on potential bottom-line impact.

Tags: MITRE ATT&CK